Zahra. Chehri. 8) Malware
Malware Malware, short for malicious (or malevolent) software, is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software.]'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software.[2] Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software, and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses.[3] In law, malware is sometimes known as a computer contaminant, as in the legal codes of several U.S. states.[4][5] Malware is not the same as defective software, which is software that has a legitimate purpose but contains harmful bugs that were not corrected before release. However, some malware is disguised as genuine software, and may come from an official company website. An example of this is software used for harmless purposes that is packed with additional tracking software that gathers marketing statistics. Malware has caused the rise in use of protective software types such as anti virus, anti-malware, and firewalls. Each of these are commonly used by personal users and corporate networks in order to stop the unauthorized access by other computer users, as well as the automated spread of malicious scripts and software. Purposes http://en.wikipedia.org/wiki/File:Malware_statics_2011-03-16-en.svg Malware by categories on March 16, 2011. Many early infectious programs, including the first Internet Worm, were written as experiments or pranks. Today, malware is used primarily to steal sensitive personal, financial, or business information for the benefit of others. Malware is sometimes used broadly against government or corporate websites to gather guarded information, or to disrupt their operation in general. However, malware is often used against individuals to gain personal information such as social security numbers, bank or credit card numbers, and so on. Left un-guarded, personal and networked computers can be at considerable risk against these threats. (These are most frequently counter-acted by various types of firewalls, anti virus software, and network hardware). Since the rise of widespread broadband Internet access, malicious software has more frequently been designed for profit. Since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation.[6] Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography,[7] or to engage in distributed denial-of-service attacks as a form of extortion.[8] Another strictly for-profit category of malware has emerged, called spyware. These programs are designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; instead they are generally installed by exploiting security holes. They can also be packaged together with user-installed software, such as peer-to-peer applications. Proliferation Preliminary results from Symantec published in 2008 suggested that "the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications."[9] According to F-Secure, "As much malware was produced in 2007 as in the previous 20 years altogether."[10] Malware's most common pathway from criminals to users is through the Internet: primarily by e-mail and the World Wide Web.[11] The prevalence of malware as a vehicle for Internet crime, along with the challenge of anti-malware software to keep up with the continuous stream of new malware, has seen the adoption of a new mindset for individuals and businesses using the Internet. With the amount of malware currently being distributed, some percentage of computers will always be infected. For businesses, especially those that sell mainly over the Internet, this means they need to find a way to operate despite security concerns. The result is a greater emphasis on back-office protection designed to protect against advanced malware operating on customers' computers.[12] On March 29, 2010, Symantec Corporation named Shaoxing, China, as the world's malware capital.[13] A 2011 study from the University of California, Berkeley, and the Madrid Institute for Advanced Studies published an article in Software Development Technologies, examining how entrepreneurial hackers are helping enable the spread of malware by offering access to computers for a price. Microsoft reported in May 2011 that one in every 14 downloads from the Internet may now contain malware code. Social media, and Facebook in particular, are seeing a rise in the number of tactics used to spread malware to computers.[14] Infectious malware: viruses and worms Main articles: ''[http://en.wikipedia.org/wiki/Computer_virus ''Computer virus]'' and [http://en.wikipedia.org/wiki/Computer_worm ''Computer worm] The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any specific types of behavior. The term [http://en.wikipedia.org/wiki/Computer_virus computer virus] is used for a program that has infected some executable software and, when run, causes the virus to spread to other executables. On the other hand, a [http://en.wikipedia.org/wiki/Computer_worm worm] is a program that actively transmits itself over a network to infect other computers. These definitions lead to the observation that a virus requires user intervention to spread, whereas a worm spreads itself automatically. Using this distinction, infections transmitted by email or Microsoft Word documents, which rely on the recipient opening a file or email to infect the system, would be classified as viruses rather than worms. Some writers in the trade and popular press misunderstand this distinction and use the terms interchangeably. Concealment: Viruses, trojan horses, rootkits, and backdoors Viruses Strategies that viruses use to conceal themselves are described in the computer virus article. Trojan horses For a malicious program to accomplish its goals, it must be able to run without being detected, shut down, or deleted. When a malicious program is disguised as something normal or desirable, users may willfully install it without realizing it. This is the technique of the [http://en.wikipedia.org/wiki/Trojan_horse_(computing) Trojan horse] or trojan. In broad terms, a Trojan horse is any program that invites the user to run it, concealing harmful or malicious code. The code may take effect immediately and can lead to many undesirable effects, such as deleting the user's files or installing additional harmful software. One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads from the Internet. When the user installs the software, the spyware is installed along with it. Spyware authors who attempt to act in a legal fashion may include an end-user license agreement that states the behavior of the spyware in loose terms, which users may not read or understand. http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=7 edit Rootkits Once a malicious program is installed on a system, it is essential that it stay concealed, to avoid detection. Techniques known as [http://en.wikipedia.org/wiki/Rootkit rootkits] allow this concealment, by modifying the host's operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read. Some malicious programs contain routines to defend against removal, not merely to hide themselves, but to resist attempts to remove them. An early example of this behavior is recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V time sharing system: Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently stopped program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.[15] http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=8 edit Backdoors A backdoor is a method of bypassing normal authentication procedures. Once a system has been compromised, one or more backdoors may be installed in order to allow easier access in the future. Backdoors may also be installed prior to malicious software, to allow attackers entry. The idea has often been suggested that computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. Crackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors crackers may use Trojan horses, worms, or other methods. http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=9 edit Vulnerability to malware Main article: ''[http://en.wikipedia.org/wiki/Vulnerability_(computing) ''Vulnerability (computing)] *In this context, as throughout, it should be borne in mind that the “system” under attack may be of various types, e.g. a single computer and operating system, a network or an application. *Various factors make a system more vulnerable to malware: http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=10 edit Security defects in software Malware exploits security defects (security bugs, or vulnerabilities) in the design of the operating system, in applications (such as browsers—avoid using Internet Explorer 8 or earlier, e.g. on Windows XP[16]), or in (old versions of) browser plugins such as Adobe Flash Player, Adobe Acrobat / Reader, or Java (see Java SE critical security issues).[17][18] Sometimes even installing new versions of such plugins does not automatically uninstall old versions. Security advisories from such companies announce security-related updates.[19] Common vulnerabilities are assigned CVE IDs and listed in the US National Vulnerability Database. Secunia PSI[20] is an example of software, free for personal use, that will check a PC for vulnerable out-of-date software, and attempt to update it. Most systems contain bugs, or loopholes, which may be exploited by malware. A typical example is a buffer-overrun vulnerability, in which an interface designed to store data, in a small area of memory, allows the caller to supply more data than will fit. This extra data then overwrites the interface's own executable structure (past the end of the buffer and other data). In this manner, malware can force the system to execute malicious code, by replacing legitimate code with its own payload of instructions (or data values) copied into live memory, outside the buffer area. http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=11 edit Insecure design or user error Originally, PCs had to be booted from floppy disks. Until recently, it was common for a computer to boot from an external boot device by default. This meant that the computer would, by default, boot from a floppy disk, USB flash drive, or CD—and malicious boot code could be used to install malware or boot into a modified operating system. Autorun or autoplay features may allow code to be automatically executed from a floppy disk, CD-ROM or USB device with or without the user’s permission. Older email software would automatically open HTML email containing malicious JavaScript code; users may also unwarily open (execute) malicious email attachments. http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=12 edit Over-privileged users and over-privileged code Main article: ''[http://en.wikipedia.org/wiki/Principle_of_least_privilege ''principle of least privilege] *Over-privileged users: some systems allow all users to modify their internal structures. This was the standard operating procedure for early microcomputer and home computer systems, where there was no distinction between an Administrator or root, and a regular user of the system. In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. This is primarily a configuration decision, but on Microsoft Windows systems the default configuration is to over-privilege the user. As privilege escalation exploits have increased this priority is shifting for the release of Microsoft Windows Vista. As a result, many existing applications that require excess privilege (over-privileged code) may have compatibility problems with Vista. However, Vista's User Account Control feature attempts to remedy applications not designed for under-privileged users, acting as a crutch to resolve the privileged access problem inherent in legacy applications. *Over-privileged code: some systems allow code executed by a user to access all rights of that user. Also standard operating procedure for early microcomputer and home computer systems. Malware, running as over-privileged code, can use this privilege to subvert the system. Almost all currently popular operating systems, and also many scripting applications allow code too many privileges, usually in the sense that when a user executes code, the system allows that code all rights of that user. This makes users vulnerable to malware in the form of e-mail attachments, which may or may not be disguised. http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=13 edit Use of the same operating system *Weight of numbers: simply because the vast majority of existing malware is written to attack Windows systems, then Windows systems are more vulnerable to succumbing to malware attacks (regardless of the security strengths or weaknesses of Windows itself). *Homogeneity: e.g. when all computers in a network run the same operating system; upon exploiting one, one worm can exploit them all:[21] For example, Microsoft Windows or Mac OS X have such a large share of the market that concentrating on either could enable an exploited vulnerability to subvert a large number of systems. Instead, introducing diversity, purely for the sake of robustness, could increase short-term costs for training and maintenance. However, having a few diverse nodes would deter total shutdown of the network, and allow those nodes to help with recovery of the infected nodes. Such separate, functional redundancy could avoid the cost of a total shutdown. http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=14 edit Anti-malware strategies Main article: ''[http://en.wikipedia.org/wiki/Antivirus_software ''Antivirus software] As malware attacks become more frequent, attention has begun to shift from viruses and spyware protection, to malware protection, and programs that have been specifically developed to combat malware. (Other preventive and recovery measures, such as backup and recovery methods, are mentioned in the computer virus article). http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=15 edit Anti-virus and anti-malware software Anti virus and anti-malware software commonly hooks deep into the operating system's core or kernel functions in a manner similar to how malware itself would attempt to operate, though with the user's informed permission for protecting the system. Any time the operating system does something, the anti-malware software checks that the OS is doing an approved task. This commonly slows down the operating system and/or consumes large amounts of system memory. The goal is to stop any operations the malware may attempt on the system before they occur, including activities which might exploit bugs or trigger unexpected operating system behavior. Anti-malware programs can combat malware in two ways: #They can provide real time protection against the installation of malware software on a computer. This type of spyware protection works the same way as that of antivirus protection in that the anti-malware software scans all incoming network data for malware software and blocks any threats it comes across. #Anti-malware software programs can be used solely for detection and removal of malware software that has already been installed onto a computer. This type of anti-malware software scans the contents of the Windows registry, operating system files, and installed programs on a computer and will provide a list of any threats found, allowing the user to choose which files to delete or keep, or to compare this list to a list of known malware components, removing files that match. Real-time protection from malware works identically to real-time antivirus protection: the software scans disk files at download time, and blocks the activity of components known to represent malware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because many malware components are installed as a result of browser exploits or user error, using security software (some of which are anti-malware, though many are not) to "sandbox" browsers (essentially babysit the user and their browser) can also be effective in helping to restrict any damage done. Examples of Microsoft Windows anti virus and anti-malware software include the optional Microsoft Security Essentials[22] (for Windows XP, Vista and Windows 7) for real-time protection, the Windows Malicious Software Removal Tool[23] (now included with Windows (Security) Updates on "Patch Tuesday", the second Tuesday of each month), and Windows Defender (an optional download in the case of Windows XP).[24] Additionally, several capable antivirus software programs are available for free download from the Internet (usually restricted to non-commercial use).[25] Some such free programs are almost as good as commercial competitors.[26] Microsoft's System File Checker can be used to check for and repair corrupted system files. Some viruses disable System Restore and other important Windows tools such as Task Manager and Command Prompt. Many such viruses can be removed by rebooting the computer, entering Windows safe mode with networking, and then using system tools or Microsoft Safety Scanner.[27] http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=16 edit Backup and recovery strategies Backup and recovery strategies are mentioned in the computer virus article. http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=17 edit Website security scans As malware also harms the compromised websites (by breaking reputation, blacklisting in search engines, etc.), some websites offer vulnerability scanning. [28] [29] [30] [31] Such scans check the website, detect malware, may note outdated software, and may report known security issues. http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=18 edit Eliminating over-privileged code Over-privileged code dates from the time when most programs were either delivered with a computer or written in-house, and repairing it would at a stroke render most antivirus software almost redundant. It would, however, have appreciable consequences for the user interface and system management. The system would have to maintain privilege profiles, and know which to apply for each user and program. In the case of newly installed software, an administrator would need to set up default profiles for the new code. Eliminating vulnerability to rogue device drivers is probably harder than for arbitrary rogue executable. Two techniques, used in VMS, that can help are memory mapping only the registers of the device in question and a system interface associating the driver with interrupts from the device. Other approaches are: *Various forms of virtualization, allowing the code unlimited access only to virtual resources *Various forms of sandbox or jail *The security functions of Java, in java.security Such approaches, however, if not fully integrated with the operating system, would reduplicate effort and not be universally applied, both of which would be detrimental to security. http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=19 edit Grayware Grayware (or greyware) is a general term that refers to applications or files that are not directly classified as malware (like worms or trojan horses), but can still negatively affect the performance of computers and involve significant security risks. It describes applications that behave in an annoying or undesirable manner, and yet are less serious or troublesome than malware. Grayware encompasses spyware, adware, dialers, joke programs, remote access tools and any other program apart from a virus, that is designed to harm the performance of computers. The term is in use since around 2004.[32] Another term is PUP which stands for Potentially Unwanted Program. Applications unwanted despite have been downloaded by the user, users may fail to read a download agreement. PUPs include spyware, adware, and dialers. http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=20 edit History of viruses and worms Before Internet access became widespread, viruses spread on personal computers by infecting the executable boot sectors of floppy disks. By inserting a copy of itself into the machine code instructions in these executables, a virus causes itself to be run whenever a program is run or the disk is booted. Early computer viruses were written for the Apple II and Macintosh, but they became more widespread with the dominance of the IBM PC and MS-DOS system. Executable-infecting viruses are dependent on users exchanging software or boot-able floppies and thumb drives so they spread rapidly in computer hobbyist circles. The first worms, network-borne infectious programs, originated not on personal computers, but on multitasking Unix systems. The first well-known worm was the Internet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike a virus, this worm did not insert itself into other programs. Instead, it exploited security holes (vulnerabilities) in network server programs and started itself running as a separate process. This same behavior is used by today's worms as well. With the rise of the Microsoft Windows platform in the 1990s, and the flexible macros of its applications, it became possible to write infectious code in the macro language of Microsoft Word and similar programs. These [http://en.wikipedia.org/wiki/Macro_virus_(computing) macro viruses] infect documents and templates rather than applications (executables), but rely on the fact that macros in a Word document are a form of executable code. Today, worms are most commonly written for the Windows OS, although a few like Mare-D[33] and the Lion worm[34] are also written for Linux and Unix systems. Worms today work in the same basic way as 1988's Internet Worm: they scan the network and use vulnerable computers to replicate. Because they need no human intervention, worms can spread with incredible speed. The SQL Slammer infected thousands of computers in a few minutes.[35] http://en.wikipedia.org/w/index.php?title=Malware&action=edit&section=21 edit Academic research Main article: ''[http://en.wikipedia.org/wiki/Malware_research ''Malware research] The notion of a self-reproducing computer program can be traced back to initial theories about the operation of complex automata.[36] John von Neumann showed that in theory a program could reproduce itself. This constituted a plausibility result in computability theory. Fred Cohen experimented with computer viruses and confirmed Neumann's postulate and investigated other properties of malware such as detectability, self-obfuscation using rudimentary encryption, and others. His Doctoral dissertation was on the subject of computer viruses.[37]